How to Implement Secure, PCI-Compliant Access Controls

By Dave Olander
Posted 2010-02-18

Many legacy systems are simply not aligned with current business needs. Many offer limited value in today's dynamic business and regulatory environment. Next-generation access solutions evolved from the need to manage a smaller group of high-performing or trusted users such as database administrators, users accessing credit card data, external auditors working remotely, and outsourced or other business partners.

Focused on the "control" piece of access control, next-generation systems are lightweight, agile and plug into existing network infrastructure. As a result, they are becoming widely recognized as an efficient, cost-effective way to integrate strong network controls that deliver the security and compliance benefits required for today's business landscape.

For instance, Section 7 of the Payment Card Industry Data Security Standard (PCI DSS) requires that access to cardholder data be restricted by business "need to know." This means that access rights are granted only to the minimum data and privileges needed to perform a job. Section 7.1 of the PCI DSS limits access to system components and cardholder data to only those individuals whose job requires such access.

Section 7.2 of the PCI DSS requires merchants to "establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to 'deny all' unless specifically allowed." Section 8 of the PCI DSS requires a unique ID for each person with computer access to ensure that actions taken on critical data and systems are performed by and can be traced to known and authorized users.

In order to meet both the letter and the spirit of the PCI DSS, next-generation access control systems should have the following six attributes:

Attribute No. 1: Right-size permissions based on a zero trust model

At the start of any technology deployment, common sense dictates an audit of current access policies to see if they are aligned with the needs of the business. In response to a host of factors, many organizations are rethinking their access policies and finding that they are far more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and spirit of PCI DSS requirement 7.2: deny all unless specifically allowed. They're also taking it further to make sure that those who are allowed are closely monitored. This "zero trust" access model allows organizations to adhere to PCI mandates, even when dealing with users (such as vendors, outsourced personnel and other third parties) who access systems from unmanaged endpoints.

Attribute No. 2: Implement fine-grained enforcement

Because next-generation access control solutions address the need to monitor the activities of smaller sets of privileged users, they should not only monitor but also enforce and remediate in real time if they are to add any significant value. An analogy can be drawn to an intrusion detection system (IDS) versus an intrusion prevention system (IPS): the risk that a false positive from an IPS will disrupt business is a significant barrier to turning its prevention capabilities on. However, access control without the ability to control user activities on the network is not access control; it is access management, which is a different thing.

Attribute No. 3: Integrate audit capabilities to validate controls

Section 8 of the PCI DSS requires that actions taken on critical data and systems are performed by and can be traced to known and authorized users. Because of these added security, operational and internal/external compliance requirements, access control solutions must provide robust reporting and auditing capabilities. Next-generation access solutions record every session and offer TiVo-like search and replay capabilities. That kind of functionality provides an indisputable audit trail that can be used for PCI DSS compliance. And from an e-discovery and security operations perspective, it eliminates any doubt about what occurred at any given point in time.

Attribute No. 4: Automate all the requirements from access to audit

Automation enables processes to scale. Because employees, business partners and others come and go, relying on manual upkeep of access policies is an open invitation to a security breach. Introducing automation eliminates manual error or intervention and dramatically streamlines management.

Attribute No. 5: Deploy an identity-aware infrastructure

Sections 7 and 8 of the PCI DSS require that access to cardholder data be determined by an individual's need to know. In other words, only authorized personnel should have access. What this means in practical terms is that you must limit access to computing resources and cardholder data to only those people whose jobs necessitate it. Not the device but the person. When credentials are bound to the identity of the individual and completely integrated with existing authentication and directory systems, this allows for the creation and management of granular and explicit access policies.
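The following is an added illustration, not code from the article or from any product it describes, of how the attributes above combine in a single policy decision point: grants are bound to an individual user ID rather than a device (Attribute 5), anything not explicitly granted is denied as PCI DSS 7.2 requires (Attribute 1), grants carry an expiry so stale access lapses without manual cleanup (Attribute 4), and every decision is written to an audit trail traceable to a unique user (Section 8). The user names, resource names and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class Grant:
    resource: str
    action: str
    expires: date  # the grant lapses on its own instead of relying on manual revocation


@dataclass
class AuditEvent:
    user: str
    resource: str
    action: str
    decision: str
    reason: str
    ts: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


# Constructed sample policy: explicit allow rules keyed by individual user ID,
# never by device or shared account. Anything not listed here is denied.
POLICY = {
    "jsmith": [Grant("cardholder_db", "read", date(2099, 1, 1))],
    "dba_lee": [Grant("cardholder_db", "read", date(2099, 1, 1)),
                Grant("cardholder_db", "admin", date(2009, 12, 31))],  # lapsed grant
}
# Generic or shared identities cannot satisfy the unique-ID requirement of Section 8.
SHARED_IDS = {"root", "admin", "shared", ""}


class AccessController:
    def __init__(self, policy, today=None):
        self.policy = policy
        self.today = today or date.today()
        self.audit_log = []  # list of AuditEvent, one per decision (allow or deny)

    def authorize(self, user, resource, action):
        """Return True only for an explicit, unexpired grant bound to a unique user ID."""
        if user in SHARED_IDS:
            return self._record(user, resource, action, "deny", "not a unique user id")
        for g in self.policy.get(user, []):
            if (g.resource, g.action) == (resource, action):
                if g.expires < self.today:
                    return self._record(user, resource, action, "deny", "grant expired")
                return self._record(user, resource, action, "allow", "explicit grant")
        return self._record(user, resource, action, "deny", "default deny")

    def _record(self, user, resource, action, decision, reason):
        self.audit_log.append(AuditEvent(user or "<none>", resource, action, decision, reason))
        return decision == "allow"
```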

Attribute No. 6: Create backward and forward compatibility

Interoperability with the relevant set of related systems should be a given with any emerging technology. In the case of access control, and to meet PCI requirements, the baseline integration points are LDAP, Active Directory, remote and network authentication systems (TACACS and RADIUS), configuration and change management systems, encryption applications, and even security information management (SIM) systems.

From an architectural perspective, many large companies keep PCI data on mainframe systems which, despite any potential interoperability issues, are still critical systems. As companies embrace virtualization as a way to maximize resources while minimizing costs, all potential support and interoperability issues specific to virtual environments must be considered as well.

As the first mandate developed specifically to enforce a defined set of information security best practices, the PCI DSS has been instrumental in aligning security operations with business processes. With other mandates and laws such as the Health Insurance Portability and Accountability Act (HIPAA) undergoing refinements to make security controls more clear-cut and effective, the vendor community has stepped up and made compliance management a reality, enabling security managers to automate critical aspects of compliance-driven audit preparation and reporting.

As security teams have learned time and time again, when you automate highly-manual, error-prone processes, the result is almost always an improved security profile. In an industry not known for good news, it's worth acknowledging the progress that IT security professionals, lawmakers, vendors and other members of the information security ecosystem have made in aligning security and compliance objectives.

Dave Olander is President and CEO at Xceedium. Dave assumed the President and CEO position in January 2010. Prior to that, Dave served as senior vice president of engineering. A seasoned executive, Dave joined Xceedium from netForensics, where he was vice president of engineering. At netForensics, Dave led strategic development of their security information management product family. Prior to netForensics, Dave was at Raritan, where he instituted new engineering processes to accelerate delivery of Raritan's second-generation digital KVM switch.

Dave has over 25 years of senior leadership experience and product engineering management with HP, AT&T Bell Laboratories, BEA, Novell, UNIX System Laboratories and Improv Technologies. Dave's product experiences span UNIX operating systems, middleware platforms, out-of-band access solutions, and security software. Dave holds a Master's degree in Computer, Information and Control Engineering from the University of Michigan, and a Bachelor's degree in Computer Science from Clarkson University. He can be reached at dolander@xceedium.com.